The U.S. Crackdown on Hackers Is Our New War on Drugs

Before Edward Snowden showed up, 2013 was shaping up as the year of reckoning for the much criticized federal anti-hacking statute, the Computer Fraud and Abuse Act (“CFAA”). The suicide of Aaron Swartz in January 2013 brought the CFAA into mainstream consciousness, so Congress held hearings about the case, and legislative fixes were introduced to change the law.

Finally, there seemed to be a newfound scrutiny of CFAA prosecutions and punishment for accessing computer data without or in excess of “authorization” — which affected everyone from Chelsea Manning to Jeremy Hammond to Andrew “Weev” Auernheimer (disclosure: I’m one of his lawyers on appeal). Not to mention less illustrious personalities and everyday users, such as people who delete cookies from their browsers.

But unfortunately, not much has changed; if anything, the growing recognition of the powerful capabilities of modern computing and networking has resulted in a “cyber panic” in legislatures and prosecutor offices across the country. Instead of reexamination, we’ve seen aggressive charges and excessive punishment.

This cyber panic isn’t just a CFAA problem. In the zeal to crack down on cyberbullying, legislatures have passed overbroad laws criminalizing speech clearly protected by the First Amendment. This comes after one effort to use the CFAA to criminalize cyberbullying — built on the premise that violating a website’s terms of service was unauthorized access, or the equivalent of hacking — was thrown out as unconstitutionally vague.

The panic has even spread to how crime is investigated. To prevent digital contraband from coming into the United States, border officials can now search electronic devices without any suspicion of wrongdoing. To get to illicit files on a seized computer, the government can force you to decrypt your computer and threaten you with jail for noncompliance. To get information about one customer, the FBI can demand a service provider turn over the key that unlocks communications from all of the service’s customers. And let’s not even get started on what the NSA has been up to.

The Problem of Excessive Punishment

There’s no doubt that there are good intentions here: to catch bad guys, keep people safe, and preserve some order in a chaotic and changing world. But this “cyber panic,” particularly with the excessive and aggressive use of the CFAA, comes with a real consequence: locking up people in prison for years.

Take the case of Matthew Keys, a former social media editor at Reuters, charged with violating the CFAA in federal court in Sacramento. He allegedly turned over the username and password of a server belonging to the Tribune Company to members of Anonymous, who made changes to a Los Angeles Times story online. Among other changes, the headline was changed from “Pressure builds in House to pass tax-cut package” to “Pressure builds in House to elect CHIPPY 1337.” It seems like a clear-cut case of vandalism, a prank that caused some damage but little other harm.

Under California law, physical vandalism — like spray painting graffiti on a building — can be punished as either a misdemeanor or a felony, with probation available for both types of charges. If probation is granted, the longest sentence a defendant can serve as a condition of probation is one year in county jail.

But look at the punishment awaiting Keys. He didn’t get charged with a misdemeanor; he got indicted on three felony charges, for which he faces a harsh prison sentence. No, he won’t get anything close to the 10-year maximum. But a cursory calculation of his potential sentence under the federal sentencing guidelines suggests he’s looking at a sentence between 21 and 27 months — about three years of his life — if he decides to go to trial and loses.

Here are more details on how such sentencing works:

…Federal sentencing is based on two things: the seriousness of a crime and the person’s criminal history. The two factors are plotted on a table, with the y-axis a scale of 1 to 43 “levels” that determines the seriousness of a crime, and the x-axis a scale of I to VI that measures criminal history. At sentencing, the judge must determine both scores, plot them on the table, and determine the sentencing range in months, which the court can follow or disregard at its own discretion.

…Someone like Keys, who has no criminal history, is in criminal history category I. The starting point for most CFAA crimes is level 6, which is low on the scale but can quickly increase.

…Assuming the allegations in Keys’s search warrant are correct, the Tribune Company spent $17,650.40 to fix the damage, resulting in an increase of 4 levels for causing more than $10,000 and less than $30,000 in damage. Because Keys is charged with causing damage to a computer, he receives another 4-level increase. And because he likely abused a position of trust, he receives another 2-level increase, for a total offense level of 16 — which has a sentencing range between 21 and 27 months for a person in criminal history category I. (That places Keys in “Zone C” of the Sentencing Table, which means the Guidelines don’t authorize a grant of probation, though the judge could impose probation if she wanted to.)

As a country and a criminal justice system, we’ve been down this road of excessive punishment before: with drugs. Prosecutors and lawmakers need to take a step back and think long and hard about whether we’re going down the same road with their zeal towards computer crimes.

Hanni Fakhoury

Hanni Fakhoury is a former federal public defender and a current Staff Attorney at the Electronic Frontier Foundation (EFF) who focuses on criminal law, privacy, and free speech litigation and advocacy. Follow him on Twitter @hannifakhoury.

For many years, there was a radical disparity in how federal law treated crack and powder cocaine. A person who possessed 5 grams of crack cocaine could be charged with a felony. But it took 500 grams of powder cocaine to get the same felony punishment. This 100-to-1 ratio was born in the 1980s, when Congress was concerned that crack — predominantly used in urban areas by people of color — was becoming an epidemic and a violent one at that.

This extreme disparity only ensured that a disproportionate number of people of color ended up in prison. Receiving little rehabilitation while incarcerated and struggling to find work or otherwise reintegrate into society once released, convicts would return to crime, get caught, and be sentenced as a recidivist. That meant a longer jail sentence and the continuation of a destructive cycle.

But over the last few years, there has been significant progress towards narrowing this gap. In 2010, Congress passed — and President Obama signed — legislation that reduced the 100-to-1 ratio down to 18-to-1. Attorney General Eric Holder upped the ante this past summer, announcing a series of broader policy reforms that would work to reduce harsh drug sentences by giving prosecutors flexibility to avoid charging a defendant with crimes that carry mandatory minimum prison sentences. And at the end of last year, President Obama pardoned thirteen people and commuted the sentences of eight prisoners who were sentenced under the old ratio and were therefore serving long sentences for crack cocaine convictions.

These reforms took over 20 years. But as technology marches faster than the slow pace of legal change, we don’t have that kind of time to apply the lessons learned from the failed “war on drugs” experiment to the growing wave of computer crime prosecutions.

And It Doesn’t Even Work

The government’s mindset is that technology and the internet can wreak havoc. Disseminating the login credentials of a powerful media company to vandalize a few websites, for example, has the potential to cause more damage than spray-painting graffiti on a highway sign.

That is undoubtedly true. But will aggressive, excessive punishment really deter others here? This country’s experience with the war on drugs suggests the answer is a resounding no.

The problem is pronounced with much of the politically motivated online crime that has splashed the headlines. As a generation of people who grew up plugged in and online realized there is no way to voice their complaints within the mainstream political establishment, they decided to take their protests to the medium they know best. Harsh punishment is only going to reinforce and harden that generation’s pessimism towards the government.

This is not to say that “anything goes” online or that crimes should go unpunished. But we need to question whether locking people up for long periods of time — without addressing the root concerns about concentrated political power, civil liberties abuses, and transparency — will have the effect of deterrence or worse yet, a hardened cynicism that perpetuates the endless cycle of punishment. That’s true of even non-politically motivated cybercrime, or really, all crime … whether it involves a computer or not.

* * *

There may be hope yet.

Recently, 11 members of the “PayPal 14,” a group of individuals affiliated with Anonymous who DDoS’d PayPal in 2010 to protest its refusal to process donations to WikiLeaks, pleaded guilty to felony CFAA charges in federal court. But instead of receiving tough prison sentences, the defendants had their sentencing put off for one year. If the defendants stay out of trouble during that time, the felony convictions will be dropped when they come back to court, and they’ll be sentenced to misdemeanors instead. Most of the defendants will avoid jail time, and will have to pay $5,600 to PayPal in restitution.

But for most of these defendants, the experience of going through a federal criminal prosecution is going to be enough to deter them from doing something similar again. Not to mention the financial penalties and misdemeanor convictions. And for those who aren’t deterred? The punishment will appropriately increase the next time. There’s just no need to excessively punish all wrongdoers.

We shouldn’t let the government’s fear of computers justify disproportionate punishment. The type of graduated punishment in the PayPal 14 case is routine in low-level, physical-world criminal cases brought in state courts throughout the country; it can work with computer crime too.

It’s time for the government to learn from its failed 20th century experiment over-punishing drugs and start making sensible decisions about high-tech punishment in the 21st century. It can’t afford to be behind when it comes to tech, especially as the impacts of “cyber-panic” on users — beyond hackers — are very real.